Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

mvzip with fillnull for converting json to table

pasokkum
Path Finder
‎10-04-2016 03:48 AM

Hi,

I want to convert a json file to table format.. JSON structure is
"Settings": {
"Employee": [
{
"name": "EF",
"Domain": "JAVA",
},
{
"name": "CD",
"Domain": ".NET",
},
{
"name": "AB",
"Domain": "SQL",
} ]
"Student": [
{
"name": "EF",
"Domain": "CSE",
},
{
"name": "AB",
"Domain": "IT",
} ]
}
When i use the following query,

index=myindex | rename Settings.Employee{}.name as nameEmployee Settings.Employee{}.Domain as DomainEmployee Settings.Student{}.name as nameStudent Settings.Student{}.Domain as DomainStudent | eval x = mvzip(mvzip(mvzip(nameEmployee,DomainEmployee,"?"),nameStudent,"?"),DomainStudent,"?") | mvexpand x | eval x = split(x,"?") | eval nameEmployee=mvindex(x,0) | eval DomainEmployee =mvindex(x,1) | eval nameStudent =mvindex(x,2) | eval DomainStudent =mvindex(x,3) | table nameEmployee DomainEmployee nameStudent DomainStudent

I am getting the following table,
alt text
I am expecting a table like this with null values also
alt text

Pls help..! Thanks in advance!

Tags (4)
Preview file
4 KB
Preview file
5 KB
0 Karma
Reply

somesoni2
Revered Legend
‎10-04-2016 08:41 AM

Try something like this

index=myindex | rename Settings.Student{}.* as *Student Settings.Employee{}.* as *Employee | eval emp=mvzip(nameEmployee,DomainEmployee,"#") | eval std=mvzip(nameStudent,DomainStudent,"#") | table emp std | mvexpand emp | rex field=emp "(?<nameEmployee>.+)#(?<DomainEmployee>.+)" | mvexpand std | rex field=std "(?<nameStudent>.+)#(?<DomainStudent>.+)" | fields - emp std | foreach *Student [eval <<FIELD>>=if(nameStudent=nameEmployee,<<FIELD>>,null())] | stats values(*Student) as *Student by nameEmployee DomainEmployee
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...